Segfault compiling specially crafted sass file into CSS

[brandonprry]

Hello, currently testing version 3.3.4 from git

# ./version.sh 
3.3.4
# git log | head -n 9
commit 213339a802827fab23cb61b79ad7d592fad33c2d
Merge: f5b02c9 32c921a
Author: Michael Mifsud <xzyfer@gmail.com>
Date:   Fri Mar 18 01:51:35 2016 +1100

    Merge pull request #1955 from xzyfer/fix/issue-1644

    Fix error not being thrown when & is used without a parent selector

#

The following file:

:000000#{00}000000{//
}

minimized from:

@im+ w\dth:5clner #{n: w\dth:5>0Qx;
  }button {
  //levxe buttons mixin
  @inclner #{n: w\dth:500Qx;
  }
}

causes an assertion failure and a use-after-free.

# ~/parser id:001088,sig:06,src:002784+006448,op:splice,rep:2
parser: src/json.cpp:1144: void emit_string(SB *, const char *): Assertion `utf8_validate(str)' failed.
Aborted
# cat id\:001088\,sig\:06\,src\:002784+006448\,op\:splice\,rep\:2.min | ~/sassc_asan 
=================================================================
==8775==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000cd60 at pc 0x7f97df7272a1 bp 0x7ffc94c54650 sp 0x7ffc94c54648
READ of size 1 at 0x60300000cd60 thread T0
    #0 0x7f97df7272a0  (/root/libsass//lib/libsass.so+0x3f82a0)
    #1 0x7f97df72ab1b  (/root/libsass//lib/libsass.so+0x3fbb1b)
    #2 0x7f97df72a009  (/root/libsass//lib/libsass.so+0x3fb009)
    #3 0x4dc533  (/root/sassc_asan+0x4dc533)
    #4 0x4dd034  (/root/sassc_asan+0x4dd034)
    #5 0x7f97de2bea3f  (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x435e48  (/root/sassc_asan+0x435e48)

0x60300000cd60 is located 0 bytes inside of 31-byte region [0x60300000cd60,0x60300000cd7f)
freed by thread T0 here:
    #0 0x4bcb32  (/root/sassc_asan+0x4bcb32)
    #1 0x7f97df51be14  (/root/libsass//lib/libsass.so+0x1ece14)
    #2 0x7f97df525ddd  (/root/libsass//lib/libsass.so+0x1f6ddd)
    #3 0x7f97df53a447  (/root/libsass//lib/libsass.so+0x20b447)
    #4 0x7f97df525066  (/root/libsass//lib/libsass.so+0x1f6066)
    #5 0x7f97df4a34fc  (/root/libsass//lib/libsass.so+0x1744fc)
    #6 0x7f97df4a2835  (/root/libsass//lib/libsass.so+0x173835)
    #7 0x7f97df72a8fb  (/root/libsass//lib/libsass.so+0x3fb8fb)
    #8 0x7f97df72a009  (/root/libsass//lib/libsass.so+0x3fb009)
    #9 0x4dc533  (/root/sassc_asan+0x4dc533)
    #10 0x4dd034  (/root/sassc_asan+0x4dd034)
    #11 0x7f97de2bea3f  (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4bce12  (/root/sassc_asan+0x4bce12)
    #1 0x7f97ded33187  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8e187)

Shadow bytes around the buggy address:
  0x0c067fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9960: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c067fff9970: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff9980: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff9990: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067fff99a0: fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd fd fd
  0x0c067fff99b0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff99c0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff99d0: 00 00 01 fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff99e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff99f0: fd fa fa fa fd fd fd fa fa fa 00 00 01 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8775==ABORTING

[xzyfer]

Sorry @brandonprry I'm finding your report hard to follow. Please produce a copy-pastable sample of code that produces this problem so I can debug locally.

[brandonprry]

I am not sure what else I can show you, the above has many commands to run as well as the input to use to crash sassc.

# cat id\:001088\,sig\:06\,src\:002784+006448\,op\:splice\,rep\:2.min 
:000000#{00}000000{//
}
# 
# cat id\:001088\,sig\:06\,src\:002784+006448\,op\:splice\,rep\:2.min | ~/sassc/bin/sassc 
=================================================================
==29872==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000cd60 at pc 0x7f7f62fad2a1 bp 0x7ffdb25ada90 sp 0x7ffdb25ada88
READ of size 1 at 0x60300000cd60 thread T0
    #0 0x7f7f62fad2a0  (/root/libsass//lib/libsass.so+0x3f82a0)
    #1 0x7f7f62fb0b1b  (/root/libsass//lib/libsass.so+0x3fbb1b)
    #2 0x7f7f62fb0009  (/root/libsass//lib/libsass.so+0x3fb009)
    #3 0x4dc533  (/root/sassc/bin/sassc+0x4dc533)
    #4 0x4dd034  (/root/sassc/bin/sassc+0x4dd034)
    #5 0x7f7f61b44a3f  (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x435e48  (/root/sassc/bin/sassc+0x435e48)

0x60300000cd60 is located 0 bytes inside of 31-byte region [0x60300000cd60,0x60300000cd7f)
freed by thread T0 here:
    #0 0x4bcb32  (/root/sassc/bin/sassc+0x4bcb32)
    #1 0x7f7f62da1e14  (/root/libsass//lib/libsass.so+0x1ece14)
    #2 0x7f7f62dabddd  (/root/libsass//lib/libsass.so+0x1f6ddd)
    #3 0x7f7f62dc0447  (/root/libsass//lib/libsass.so+0x20b447)
    #4 0x7f7f62dab066  (/root/libsass//lib/libsass.so+0x1f6066)
    #5 0x7f7f62d294fc  (/root/libsass//lib/libsass.so+0x1744fc)
    #6 0x7f7f62d28835  (/root/libsass//lib/libsass.so+0x173835)
    #7 0x7f7f62fb08fb  (/root/libsass//lib/libsass.so+0x3fb8fb)
    #8 0x7f7f62fb0009  (/root/libsass//lib/libsass.so+0x3fb009)
    #9 0x4dc533  (/root/sassc/bin/sassc+0x4dc533)
    #10 0x4dd034  (/root/sassc/bin/sassc+0x4dd034)
    #11 0x7f7f61b44a3f  (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4bce12  (/root/sassc/bin/sassc+0x4bce12)
    #1 0x7f7f625b9187  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8e187)

Shadow bytes around the buggy address:
  0x0c067fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9960: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c067fff9970: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff9980: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff9990: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067fff99a0: fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd fd fd
  0x0c067fff99b0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff99c0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff99d0: 00 00 01 fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff99e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff99f0: fd fa fa fa fd fd fd fa fa fa 00 00 01 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29872==ABORTING

[xzyfer]

Are you reporting that the following Sass code produces a segfault?

:000000#{00}000000{//
}

If so, I am unable to reproduce with 213339a. What is your environment?

[brandonprry]

Yes, that is correct. This is ubuntu wily, built from source from git.

# ./version.sh 
3.3.4
# git log | head -n 9
commit 213339a802827fab23cb61b79ad7d592fad33c2d
Merge: f5b02c9 32c921a
Author: Michael Mifsud <xzyfer@gmail.com>
Date:   Fri Mar 18 01:51:35 2016 +1100

    Merge pull request #1955 from xzyfer/fix/issue-1644

    Fix error not being thrown when & is used without a parent selector

#

[brandonprry]

What is the output that you get?

[xzyfer]

I get the following output

Error: Invalid CSS after ":": expected pseudoclass or pseudoelement, was "00000000000000{"
        on line 11 of test.scss
>>
   ^

Running OS X 10.11.4. What compiler are you using?

$ gcc -v
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/usr/include/c++/4.2.1
Apple LLVM version 7.0.2 (clang-700.1.81)
Target: x86_64-apple-dar

[xzyfer]

Is this the path of the file you're compiling?

id:001088,sig:06,src:002784+006448,op:splice,rep:2.min

If so, that may be the issue. Can you try something more standard like /tmp/test.scss?

[brandonprry]

If you build absolute latest as such:

# export CFLAGS="-fsanitize=address -O1 -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address -O1 -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address -fno-omit-frame-pointer"
# make clean build-shared

Then run my input through the newly-built sassc compiler, you should see what I am talking about.

[xzyfer]

I am still unable to reproduce this.

// test.scss
@im+ w\dth:5clner #{n: w\dth:5>0Qx;
  }button {
  //levxe buttons mixin
  @inclner #{n: w\dth:500Qx;
  }
}

$ CFLAGS="-fsanitize=address -O1 -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address -O1 -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address -fno-omit-frame-pointer" make clean build-shared
$ bin/sassc test.scss
Error: Invalid CSS after ":": expected pseudoclass or pseudoelement, was "5clner nbutton{"
        on line 2 of test.scss
>>
   ----------^

[brandonprry]

You should export the environment variables, not just use them in front of make. Otherwise, they are not picked up by libsass when make is called there to build and you do not get the same result I have.

[xzyfer]

Ok I've finally been able to reproduce this with the follow reduced test case

@a b:1 #{;} {}

[mgreter]

Might be that sassc destroys the context too early before actually priniting the error message?

[mgreter]

Closing this a duplicate of #2046 since chances are high you are exactly seeing this here. If not feel free to re-open and to take some inspiration from said bug report, specially since @asottile provided a repo for easy reproduction of the problem.